HTTP Strict Transport Security (HSTS)

HSTS improves security by instructing browsers to connect to your site only over HTTPS, never over plain HTTP.

Why you need it

HSTS delivers the following benefits:

  • Mitigates the risk of sensitive data leaking out unencrypted.
  • Improves data integrity. Because the browser validates your website's TLS certificate before it sends anything, an attacker on the network can't read or alter the traffic, and can't downgrade a browser that has seen the header to plain HTTP (SSL stripping).

How it works

HSTS instructs the browser to use HTTPS when making requests to your website. The browser remembers this instruction for an amount of time that you set, so the next time a user visits your website, their browser will use HTTPS.

HSTS works through the use of the Strict-Transport-Security response header. Once a browser receives this header over HTTPS, it stops sending any communications over HTTP to the specified domain and sends them all over HTTPS instead. Insecure HTTP links are converted to secure HTTPS links before the browser opens a connection. For example, http://example.com/some/page/ is converted to https://example.com/some/page/ before the server is contacted. If the security of the connection can't be ensured (for example, the server's TLS certificate isn't trusted), the user sees an error message and can't access the site; unlike an ordinary certificate warning, there is no option to click through.

🚧

When you implement HSTS, every browser that has received the header stops sending requests to your domain over HTTP for as long as Max age lasts, and you can't undo that quickly on the client side. Make sure that your site and subdomains are fully tested using HTTPS and that there are no situations where your domain needs to send data over HTTP. To test the configuration, see Test HTTP Strict Transport Security (HSTS).

Features and options

The behavior has the following fields. Sub-options are listed where a field has them.

Enable

Turns the HTTP Strict Transport Security (HSTS) behavior on or off.

Max age

Specifies how long, counted from the last response that carried the header, a browser keeps enforcing HTTPS for your site (the max-age directive). A browser refreshes the value on every response that includes the header, so changing Max age takes effect for a given browser only when it next receives a response from your site; until then it continues to use the value it cached.

  • **0 minutes (disable HSTS)**. Setting Max age to **0** sends max-age=0, which tells a browser to forget the policy it cached for your host. Browsers that never received the earlier header are unaffected and can connect using HTTP right away. Browsers that did cache the earlier Max age keep enforcing HTTPS until they receive the max-age=0 header over HTTPS or their cached value expires, so the change only reaches a browser once it has connected to your site again.
  • **10 minutes**
  • **1 day**
  • **1 month**
  • **3 months**
  • **6 months (recommended)**
  • **1 year**

Include all subdomains

Specifies whether all subdomains are required to use HTTPS (the includeSubDomains directive). Browsers apply the policy to every host under the domain, including intranet or delegated hosts that don't connect through Akamai, so each of them must serve a valid certificate or it becomes unreachable from any browser that has cached the policy.

Preload

Adds the preload directive to the header, which is a prerequisite for including the domain in the preload list that's hardcoded into Google Chrome and into other browsers that derive their lists from Chrome's. Setting the option doesn't add the domain by itself: you still need to submit the domain at hstspreload.org. Once your domain is in the preload list, a browser connects using HTTPS from the very first attempt, protecting against bootstrap man-in-the-middle attacks. If your domain isn't in the preload list, the first request from a browser that hasn't seen the header yet (for example, after the user types the bare domain name) goes over HTTP; your site then needs to redirect it to HTTPS so that the HTTPS response can deliver the HSTS header, after which the browser connects using HTTPS.

Note: The Preload list is updated and distributed when new builds of the browsers are released. It can take months for your domain to be included in the list and propagated to large numbers of users. If you want the domain to be included in the preload list, familiarize yourself with the configuration requirements listed on the submission page at hstspreload.org. Your configuration must meet all of the requirements to be included in the preload list.

Redirect all HTTP requests to HTTPS

When enabled, redirects all HTTP requests to HTTPS. Browsers ignore a Strict-Transport-Security header received over plain HTTP, so without the redirect a browser that starts on HTTP never picks up the policy and keeps using HTTP. Choose the response code:

  • **301 response code** - Permanent redirect
  • **302 response code** - Temporary redirect
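The browser-side rules described under How it works and in the Max age, Include all subdomains, Preload and Redirect options above, as an added Python example that is not Akamai code: a small model of one browser's HSTS store. The hosts, header values, the fake clock and the two browsers A and B are constructed for the example; the aka-hsts-max-age=0 URL in the walkthrough stands in for the Override HSTS rule described later under Implementation. The model shows that the header is ignored on a plain-HTTP response or when the certificate isn't trusted, that max-age=0 makes only the browser that receives it forget the host, that includeSubDomains extends the policy to api.example.com, and that a cached policy expires on its own after max-age seconds.

```python
"""Model of browser-side HSTS handling (RFC 6797). Constructed example, not Akamai code."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_sts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if a browser would reject it."""
    max_age: Optional[int] = None
    include_sub = preload = False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age invalidates the whole header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True  # any other directive is ignored, as the RFC requires
    return None if max_age is None else HstsPolicy(max_age, include_sub, preload)


class BrowserHstsStore:
    """HSTS cache of one browser profile; `now` is a fake clock in seconds."""
    def __init__(self, now: float = 0.0) -> None:
        self.now = now
        self.entries: Dict[str, Tuple[float, bool]] = {}  # host -> (expires_at, includeSubDomains)

    def add_preloaded(self, host: str, include_subdomains: bool = True) -> None:
        self.entries[host.lower()] = (float("inf"), include_subdomains)  # built into the browser

    def observe_response(self, url: str, header: Optional[str], cert_ok: bool = True) -> None:
        """Only an HTTPS response with a trusted certificate can set or clear a policy."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not cert_ok or not parts.hostname or header is None:
            return
        policy = parse_sts(header)
        if policy is None:
            return
        host = parts.hostname.lower()
        if policy.max_age == 0:
            self.entries.pop(host, None)  # the Override HSTS case: forget this host
        else:
            self.entries[host] = (self.now + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str) -> bool:
        """True if host, or a superdomain with includeSubDomains, has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self.now:
                del self.entries[candidate]  # expired: behave as if never seen
            elif i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser actually requests: http:// upgraded when known."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def walkthrough() -> Dict[str, str]:
    """The scenarios from the text, with two independent browsers A and B."""
    a, b = BrowserHstsStore(now=1_000.0), BrowserHstsStore(now=1_000.0)
    a.observe_response("http://example.com/", "max-age=86400")  # over plain HTTP: ignored
    over_http = a.rewrite("http://example.com/some/page/")
    for store in (a, b):
        store.observe_response("https://example.com/", "max-age=86400; includeSubDomains")
    upgraded = a.rewrite("http://example.com/some/page/")
    subdomain = a.rewrite("http://api.example.com:80/v1/status")
    a.observe_response("https://example.com/path?aka-hsts-max-age=0", "max-age=0")  # A only
    b_after_override = b.rewrite("http://example.com/")  # B never saw max-age=0
    b.now += 86400 + 1  # one day later, B's cached policy has expired on its own
    return {"over_http": over_http, "upgraded": upgraded, "subdomain": subdomain,
            "a_after_override": a.rewrite("http://example.com/"),
            "b_after_override": b_after_override,
            "b_after_expiry": b.rewrite("http://example.com/")}
```

The point of running A and B side by side is the one that bites in production: the Override HSTS rule resets only the browser that sent the max-age=0 request, while every other browser keeps upgrading to HTTPS until its own cached Max age runs out.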

Implementation

When you implement HSTS, there's a risk that browsers will deny access to users when HSTS isn't configured correctly. For example, your domain may have absolute http:// links to hosts, or subdomains, that can't serve HTTPS and that will become inaccessible after you configure the domain to require the use of HTTPS. Because of this risk, and the difficulty in reversing the requirement to force connections to use HTTPS, you can configure two rules in the domain's property that let you turn HSTS on and off using a query string parameter in requests to the domain.

To implement HSTS for a domain, you need to

  • Verify that the domain is configured to support HSTS.
  • Configure rules and behaviors that will allow you to turn on and turn off HSTS by sending requests from your browser to the domain.
  • Test HSTS in a staging network before implementing it in production.

Make sure the domain supports HSTS

Before you begin implementing HSTS on a domain, make sure that the domain:

  • Uses enhanced TLS. Make sure that the property has a Redirect to HTTPS rule configured with the Redirect Status Code set to 301 Moved Permanently.
  • Uses a certificate that covers the hostnames and subdomains. Once a browser has cached the HSTS policy, it doesn't let the user click through certificate errors; the TLS handshake fails and the site is inaccessible to end users.
  • Doesn't reference hosts in the domain through absolute http:// URLs unless those hosts serve HTTPS with a valid certificate. After you implement HSTS, browsers upgrade such links to https:// before connecting, and a host that can't complete the TLS handshake becomes inaccessible rather than falling back to HTTP.
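An added example, not Akamai code, of the pre-flight check the last two bullets call for: scan a page's HTML for absolute http:// references and predict what a browser that has cached the HSTS policy will do with each. The sample page, the domain and the set of hosts known to serve a trusted certificate are constructed for the example; in practice the host set comes from the SANs on your certificate and the HTML from a crawl of the staging site.

```python
"""Pre-flight scan for absolute http:// references on a site about to get HSTS.
Constructed example, not Akamai code: the page, domain and host list are made up."""
from __future__ import annotations
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action"}  # attributes that name a URL to fetch or follow


class _UrlCollector(HTMLParser):
    """Collects (tag, attribute, url) for every URL-bearing attribute on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr in URL_ATTRS and value:
                self.found.append((tag, attr, value))


def in_scope(host: str, domain: str, include_subdomains: bool) -> bool:
    """Would a browser holding the policy for `domain` apply it to `host`?"""
    host, domain = host.lower(), domain.lower()
    return host == domain or (include_subdomains and host.endswith("." + domain))


def scan(html: str, domain: str, include_subdomains: bool, https_hosts: Set[str]) -> List[Dict[str, str]]:
    """Classify each absolute http:// reference on an HTTPS page of `domain`.

    https_hosts: hosts known to serve a trusted certificate (e.g. the SANs on
    your certificate). In-scope hosts not in that set are upgraded to https://
    by the browser and then fail the TLS handshake, with no fallback to HTTP.
    """
    collector = _UrlCollector()
    collector.feed(html)
    findings: List[Dict[str, str]] = []
    for tag, attr, url in collector.found:
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            continue  # relative, https://, mailto: and similar are unaffected by HSTS
        host = parts.hostname.lower()
        if in_scope(host, domain, include_subdomains):
            verdict = "upgraded" if host in https_hosts else "breaks"
        elif attr in ("src", "action"):
            verdict = "mixed-content"  # out of HSTS scope, but an https page can't load it
        else:
            continue  # a plain navigation link to an unrelated host is left alone
        findings.append({"tag": tag, "attr": attr, "url": url, "verdict": verdict})
    return findings


# Constructed page: one of each case the scan distinguishes.
SAMPLE_PAGE = """<!doctype html>
<a href="http://example.com/about">About</a>
<a href="/relative/path">Relative</a>
<a href="https://example.com/secure">Already HTTPS</a>
<script src="http://cdn.example.com/app.js"></script>
<img src="http://intranet.example.com/logo.png" alt="">
<form action="http://legacy.example.com/submit"></form>
<a href="http://partner.example.net/login">Partner</a>
<script src="http://partner.example.net/widget.js"></script>
"""


def scan_sample() -> List[Dict[str, str]]:
    """Run the scan over the constructed page with Include all subdomains on."""
    return scan(SAMPLE_PAGE, "example.com", True, {"example.com", "cdn.example.com"})


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['verdict']:14} <{f['tag']} {f['attr']}> {f['url']}")
```

On the sample page the intranet and legacy hosts are the ones to fix before enabling the behavior: they sit under example.com, so Include all subdomains puts them in scope, but they have no certificate, so the browser's upgrade to https:// fails.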

Limitations on use

If you want to use HSTS, you can't include the following behaviors in any rule that would be applied to the same request:

Add rules to enable or disable HSTS

You can optionally add a series of rules to turn HSTS on and off by sending requests from a browser to the domain.

  1. Add the rule to turn on HSTS.

    1. In Property Manager Editor, click Add Rule.

    2. Select Blank Rule Template from the Available Rules list.

    3. Type Set HSTS in the field.

    4. Click Insert Rule.

  2. Add the match criteria.

    1. Click Add Match.

    2. Select Query String Parameter from the list.

    3. Type aka-hsts-max-age in the field.

    4. Select Is one of from the list.

    5. Type 86400 in the field (86400 seconds = 1 day).

  3. Add the HSTS behavior.

    1. Click Add Behavior.

    2. Select HTTP Strict Transport Security (HSTS).

    3. Click Insert Behavior.

    4. Accept the Max Age of 1 day.

    5. Check Include all subdomains.

    6. Check Preload.

    7. Check Redirect all HTTP requests to HTTPS.

  4. Click Save.

  5. Add the rule to turn off HSTS.

    1. Click Add Rule.

    2. Select Blank Rule Template from the Available Rules list.

    3. Type Override HSTS in the field.

    4. Click Insert Rule.

  6. Add the match criteria.

    1. Click Add Match.

    2. Select Query String Parameter from the list.

    3. Type aka-hsts-max-age in the field.

    4. Select Is one of from the list.

    5. Type 0 in the field.

  7. Add the behavior to remove HSTS.

    1. Click Add Behavior.

    2. Select Modify Outgoing Response Header.

    3. Click Insert Behavior.

    4. Select Remove from the Action list.

    5. Select Other... from the Select Header Name list.

    6. Type Strict-Transport-Security in the Custom Header Name field.

  8. Add the behavior to set max-age to zero.

    1. Click Add Behavior.

    2. Select Modify Outgoing Response Header.

    3. Click Insert Behavior.

    4. Select Other... from the Select Header Name list.

    5. Type Strict-Transport-Security in the Custom Header Name field.

    6. Type max-age=0 in the Header Value field.

  9. Click Save.

Test HTTP Strict Transport Security (HSTS)

Test your HSTS configuration in a staging network before implementing HSTS in your production environment.
In the staging environment, you'll use the Set HSTS and Override HSTS rules to turn HSTS on and off, so that you can verify that the domain is configured correctly. Keep in mind that the Override HSTS rule only resets the browser that sends the aka-hsts-max-age=0 request; any other browser that has cached the policy keeps enforcing HTTPS until its Max age expires.

📘

In the production environment, you must remove the ability to configure HSTS using the Set HSTS and Override HSTS rules. Leaving these rules in place would allow anyone who sends a request that includes the query string path?aka-hsts-max-age= to turn HSTS on and off on your domain.

Test HSTS on staging

  1. Turn on HSTS by sending the following request to your domain: http://yourdomain/path?aka-hsts-max-age=86400.
  2. Verify that connections to the domain are using HTTPS and that all links and subdomains are accessible via HTTPS.
  3. Turn off HSTS by sending the following request to your domain: http://yourdomain/path?aka-hsts-max-age=0.
  4. Repeat these steps until youโ€™re satisfied that the domain is configured correctly.

Test HSTS on production

As part of testing in the production environment, you need to remove the ability to configure HSTS using the Set HSTS and Override HSTS rules. Leaving these rules in place would allow anyone who sends a request that includes the query string path?aka-hsts-max-age= to enable or disable HSTS on your domain.

  1. Click the Override HSTS rule, then select Delete from the Settings.
    The Confirm Delete dialog box displays.
  2. Click Yes.
  3. In Property Manager editor, click the Set HSTS rule.
  4. Delete the match criteria from the rule.
  5. Click Save.
    The HTTP Strict Transport Security (HSTS) behavior that you configured in the rule now applies to the entire domain.
  6. Leave Max Age set to 1 day for at least a week, verifying that connections to the domain are using HTTPS, and that all links and subdomains are accessible via HTTPS.
  7. When youโ€™re satisfied that the domain is configured correctly, edit the behavior to increase the Max Age to the number of days required by any standards that you need to meet.
  8. If you want to include your domain in the HSTS preload list, select Preload.
  9. Click Save.

Next steps

If you want to include the domain in the HSTS preload list, go to https://hstspreload.org/ and submit the domain.
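Before you submit, an added Python example (not Akamai's or hstspreload.org's code) that applies the published submission rules to responses you have already captured, so it runs offline: HTTP on the apex (and on www, when that name exists) must redirect to HTTPS on the same host first, and every HTTPS response, including a redirect, must carry a header with max-age of at least one year, includeSubDomains and preload. The probe results below are constructed to show an apex that passes and a www host that fails on both counts; replace them with the status codes and headers you capture from the production property.

```python
"""Pre-submission check for the hstspreload.org rules, run over captured responses.
Constructed example, not Akamai's or hstspreload.org's code; the probes are made up."""
from __future__ import annotations
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31_536_000  # seconds: the minimum max-age the preload list accepts
REDIRECTS = {301, 302, 307, 308}
Probe = Tuple[int, Dict[str, str]]  # (status code, response headers) captured for one URL


def header_problems(sts: Optional[str]) -> List[str]:
    """Check one Strict-Transport-Security value against the three header rules."""
    if sts is None:
        return ["no Strict-Transport-Security header"]
    tokens = [t.strip().lower() for t in sts.split(";")]
    problems: List[str] = []
    max_age = next((t.partition("=")[2].strip() for t in tokens if t.startswith("max-age")), None)
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or malformed")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in tokens:
        problems.append("includeSubDomains directive missing")
    if "preload" not in tokens:
        problems.append("preload directive missing")
    return problems


def preload_readiness(domain: str, probes: Dict[str, Probe], check_www: bool = True) -> List[str]:
    """Apply the submission rules to probes of http:// and https:// on the apex (and www).

    Rules checked: HTTP must redirect to HTTPS on the same host before anything
    else, and every HTTPS response (even a redirect) must carry a compliant header.
    """
    problems: List[str] = []
    hosts = [domain] + (["www." + domain] if check_www else [])
    for host in hosts:
        http_url, https_url = f"http://{host}/", f"https://{host}/"
        if http_url in probes:
            status, headers = probes[http_url]
            location = headers.get("Location", "")
            if status not in REDIRECTS or not location.startswith(https_url):
                problems.append(f"{http_url} must redirect to {https_url}, "
                                f"got {status} -> {location or 'no Location'}")
        else:
            problems.append(f"no probe of {http_url}")
        if https_url not in probes:
            problems.append(f"no probe of {https_url}")
            continue
        _, headers = probes[https_url]
        problems.extend(f"{https_url}: {p}"
                        for p in header_problems(headers.get("Strict-Transport-Security")))
    return problems


# Constructed captures (what `curl -sI` on each URL would show). The apex is ready;
# www redirects HTTP to the wrong host and serves a header that is too weak.
SAMPLE_PROBES: Dict[str, Probe] = {
    "http://example.com/": (301, {"Location": "https://example.com/"}),
    "https://example.com/": (200, {"Strict-Transport-Security":
                                   "max-age=31536000; includeSubDomains; preload"}),
    "http://www.example.com/": (301, {"Location": "https://example.com/"}),
    "https://www.example.com/": (301, {"Location": "https://example.com/",
                                       "Strict-Transport-Security": "max-age=86400"}),
}


def check_sample() -> List[str]:
    """Run the readiness check over the constructed captures."""
    return preload_readiness("example.com", SAMPLE_PROBES)


if __name__ == "__main__":
    for problem in check_sample() or ["ready to submit"]:
        print(problem)
```

The www case is the usual surprise: redirecting http://www.example.com/ straight to https://example.com/ looks harmless, but the submission rules want the same-host HTTPS hop first, and the header on the www redirect response still has to be the full one-year policy with both directives.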

